Information Security Policies need to be monitored and reviewed on a recurring basis, not just once. The threat landscape, technology, and business processes continually evolve, and policies must adapt to remain effective. A one-time review cannot accommodate the dynamic nature of information security.